IP Layer Enforcement with the Umbrella Roaming Client

Overview

IP Layer Enforcement is an option in your policy configuration and you may have questions about it. It's found under Advanced Settings in the policy summary:

What is IP Layer Enforcement?

Cisco Umbrella already provides some of the most advanced threat protection and predictive security in the world but there are times when malware authors will use an IP address instead of a fully qualified domain name to host their malware. Since Umbrella primarily protects against malicious domains and URLs, we saw this as an area we needed to address.

Malware authors might use IP addresses that bypass DNS lookups when creating a threat. For instance, one of your users might receive a phishing email with a URL that contains an IP address rather than a hostname, for example, http://x.x.x.x/malware.exe, while they're away from the office and not protected by your firewalls. Or, a user may go home, insert an infected USB stick into their computer to look at their children's homework, and execute malware that contacts http://x.x.x.x:3000/malicious/bad.exe.

Normally, malware authors use domain names and not IP addresses. There's a good reason for that: IP addresses that host malware are quickly blocked or taken down by the ISP that owns them, but a domain name can always be re-pointed to a new IP address. However, there are exceptions, and we recognize that in order to provide the best possible security coverage, we need to block IPs in certain circumstances. Some IP addresses are simply known to be bad on every port. Other IP addresses may host valid content on non-HTTP ports while the web ports host malicious content. The inverse is also true: an IP address can host a legitimate HTTP website but also host a malicious command and control service on a non-standard port. The IP Layer Enforcement feature handles all of these scenarios.
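To make the three scenarios above concrete, here is an added illustration (not Cisco's or the roaming client's code) of why IP-literal URLs escape DNS-layer policy and how a port-scoped IP rule set covers a whole-IP block, a web-ports-only block and a non-standard-port-only block. The rule format, the `IpRule` class and the sample addresses are constructed for this example and are not Umbrella's policy format.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class IpRule:
    """Constructed rule shape: ports=None blocks the address on every port."""
    network: str                     # single IP or CIDR prefix
    ports: frozenset[int] | None = None


# Constructed sample rules using documentation address ranges.
SAMPLE_RULES = (
    IpRule("203.0.113.10"),                            # known bad on every port
    IpRule("198.51.100.0/24", frozenset({80, 443})),   # malicious web content, other services fine
    IpRule("192.0.2.5", frozenset({3000})),            # legitimate website, C2 on a non-standard port
)


def url_ip_destination(url: str):
    """Return (ip, port) when the URL host is an IP literal, else None.
    An IP-literal URL never triggers a DNS lookup, so DNS-layer policy cannot see it."""
    parts = urlsplit(url)
    if parts.hostname is None:
        return None
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return None                  # a real hostname: DNS resolution (and DNS policy) applies
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return str(ip), port


def ip_layer_decision(ip: str, port: int, rules=SAMPLE_RULES) -> str:
    """Evaluate a destination (ip, port) against the rule set: 'block' or 'allow'."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.network, strict=False):
            if rule.ports is None or port in rule.ports:
                return "block"
    return "allow"


def check_url(url: str, rules=SAMPLE_RULES) -> str:
    """'dns-layer' for hostname URLs; otherwise the IP-layer decision for the literal destination."""
    dest = url_ip_destination(url)
    return "dns-layer" if dest is None else ip_layer_decision(*dest, rules=rules)
```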

Documentation for IP Layer Enforcement

This feature requires that several prerequisites be met. As such, the full documentation can be found here: